2. UHI advertising
Jem Taylor, UHI, 25/03/2017
- UHI is important for the Highlands & Islands region and is an exciting place to work
- You want to hear about IDM
- I want to talk about UHI and what we are doing
- 30 slides in 45 minutes: 90 seconds per slide
- So I will press on to the IDM part quite quickly
- And it may be that I am talking to a future colleague amongst you so I want you to remember UHI as well as IDM!

3. UHI Mission
- “To establish for the Highlands and Islands of Scotland a collegiate university which will reach the highest standards and play a pivotal role in our educational, economic, social and cultural development”
- The Highlands and Islands of Scotland is the largest European region which has no local University. HE is recognised as a key motor for the economy – in due time we expect UHI to become the largest single economic motor in our region, overtaking Local Government.

5. A short history …
- 1993: The University of the Highlands and Islands Project “UHIp”
- A dozen partners including 8 FE colleges, a NERC research institute, a statutory body, an industry-funded college, etc
- All partners have an independent IT history and therefore a dozen different legacies
- I am still just advertising UHI to you …

6. The Dark Ages …
- 1995: kilostream-based connections between UHI’s Academic Partners
- Shared JANET connection
- Very basic for a very few staff
- UHI employs its first three staff
- 10 years ago

8. Early Modern History …
- 1998: UHI WAN project
  - High Speed networking – 45Mbit/sec
  - Interim upgrades to 2Mbit/sec
- UHI needed to build a WAN so as to be able to …
  - Share facilities and costs across UHI
  - Share costs of JANET & Internet access
  - One WWW server, many ‘web sites’
  - other ‘server’ facilities - eg.
  - Videoconferencing across data network
  - Reduce other costs, eg. telephony costs on PSTN
  - Enable Campus-style collaborative working
- Rapid development phase – lots of capital, even more challenging problems (i.e. lots is not always enough)

9. Check the map scale …
(Map of the UHI region; scale labels: 150 miles, 300 miles)
- UHI’s territory covers over half of Scotland
- 1/6th of the UK’s area
- 1/60th of the UK’s total population
- HE + FE accessed by about 25,000 distinct people every year
- Most FE students are ‘low FTE’
- Xmas lights

10. The UHI Network
(Network diagram; labels: ClydeNet, SoL, AbMAN, EastMAN, FATMAN, JANET)
- UHI staff & students are connected by high bandwidth network
  - internet, , telephone and video conferencing
- Effectively a regional ‘campus LAN’ organised by location rather than by department
  - Multiple ‘private’ IP data networks
  - Internal telephony for UHI
  - Future proof: Video; student broadcasting etc.
- UHI LIS looks after shared/common systems
  - Shared corporate systems
  - Single internal eDirectory
- Quite a lot like a conventional campus University with independently-minded departments: typical of the older universities in the UK, except that they are large, established and wealthy.

11. UHI Today …
- April 2001: an HEI with SHEFC funding
- AY 2004/5: over 3,800 student FTEs
  - 50% over age 25, 50%:50% gender balance, more than 5,200 enrolments
- New Year 2005: moved to new HQ, this time moving about 70 staff over weekend
- 2007: University title ?
- My department – Learning and Information Services – has about 30 staff and is slowly out-growing the building we are about to move out of.

16. Why ?
- Save IT and Library staff trouble?
  - It does, but that is not why we are doing it
- Make sure all students are enrolled?
  - YES
- Make Student Records a *management tool* for the business instead of being just a record of what has already happened

17. When ?
- Allocate accounts *before* enrolment so as to assist induction processes
  - As soon as details are available
  - Only applies to students who go through some kind of records processing before enrolment
  - No help for ‘walk-ins’ (but nothing is)
- Lock accounts on the day individual students are *due* to leave (planned expiry)
  - No ‘summer gap’ for continuing students
  - No summer clearouts anymore: only delete expired accounts, and should be able to do so in-year

21. Comparison: Siva1
- Home-made: very flexible but requires in-house effort for maintenance and development
- Create-only: seek and ignore existing accounts
- Deals with Students only
- Logic for user account defaults is in java code
- ‘pliers’ utility to get data from SITS: unreliable
- Although Java code, method for GroupWise is Windows™ only: would prefer to be on Linux

22. Comparison: IDM + Siva2
- Identity Manager
  - Manufacturer supported: drivers available for other systems too
  - Create or Modify logic, including changing end-date / withdrawal
  - SITS:Vision source for Staff as well as Students
  - New ORACLE based ‘minerva’ utility for feeder: more robust
  - Will be able to feed other future ID sources into the same place
  - Uses eDirectory template objects to define defaults for new users
  - Runs natively on Novell NetWare, Windows™ and Linux platforms
  - Web-based control interfaces based on iManager
- Siva2
  - Will run from triggers in the eDirectory API
  - Will not care how user is created: will fire for manual creates
  - Can do anything, including modify eDirectory accounts
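
The difference between the "Create-only" pass of slide 21 and the "Create or Modify" logic of slide 22, combined with the lock-on-planned-expiry rule of slide 17, as an added example that is not code from the presentation or from Siva or Identity Manager. All ids, dates, field names and function names are constructed for illustration.

```python
from datetime import date

TODAY = date(2005, 12, 1)  # constructed evaluation date

# Constructed feed from student records: id -> planned end date.
FEED = {
    "s1001": date(2006, 6, 30),   # continuing student, end date extended
    "s1002": date(2005, 11, 15),  # withdrew early, end date brought forward
    "s1003": date(2006, 6, 30),   # new applicant, no account yet
}

def sample_directory():
    """Constructed directory state before the feed runs."""
    return {
        "s1001": {"expires": date(2005, 6, 30), "locked": False},
        "s1002": {"expires": date(2006, 6, 30), "locked": False},
    }

def create_only(feed, directory):
    """Create-only pass: add missing accounts, ignore existing ones."""
    for uid, end in feed.items():
        if uid not in directory:
            directory[uid] = {"expires": end, "locked": False}
    return directory

def create_or_modify(feed, directory):
    """Create-or-modify pass: also push changed end dates to existing accounts."""
    for uid, end in feed.items():
        acct = directory.setdefault(uid, {"expires": end, "locked": False})
        acct["expires"] = end
    return directory

def apply_expiry(directory, today):
    """Lock accounts on their planned expiry day; return the locked ids."""
    for acct in directory.values():
        acct["locked"] = acct["expires"] <= today
    return sorted(uid for uid, a in directory.items() if a["locked"])

def stale_active(feed, directory, today):
    """Accounts still usable although the records say the holder has left."""
    return sorted(uid for uid, a in directory.items()
                  if not a["locked"] and uid in feed and feed[uid] <= today)
```

With the create-only pass the withdrawn student keeps a live account and the continuing student is locked out; with create-or-modify both follow the record.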

24. What about Citrix?
- Citrix likes Active Directory
- We decided to offer a UHI-wide Active Directory …
  - In parallel with e-Directory, not instead of
  - With the same content in both technologies
- Our service offering is now Content instead of Technology
  - Our users can use either (any) technology
  - Our job is to assure & sync the information

26. Citrix needs to login to NetWare…
- Citrix uses Active Directory authn
- But all Home Drives (H:) are NetWare
- Citrix has tools for login to both worlds
- But it doesn’t work ‘out of the box’ because we need Location at Login …
- Behind the scenes, LDAP contextless login fails – Citrix can’t find the user’s e-Directory context

27. Call a consultant !
- If all our users lived in the same context Citrix would work just fine …
- With IDM, they can !
- A bespoke IDM driver maintains a ‘secret’ area in the e-Directory …
- This is a flat space with an alias for each user …
- All users appear in the same context

28. IDM to the rescue!
- All users appear in the same context …
- All users are also in their real context …
  - Novell choice dialogue at normal login
- So …
  - Carefully hide the Aliases container from all e-Directory users except IDM & Citrix
  - Take care not to break aliases
  - Tighten up so that all users are maintained by IDM (not by technicians)
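
A model of the flat alias container described on slides 27 and 28, as an added example that is not the bespoke driver from the presentation. The container name, service identities, user names and function names are hypothetical; the duplicate-name check goes beyond the slides and reflects the fact that a flat container needs unique names.

```python
ALIAS_BASE = "ou=aliases,o=example"  # hypothetical name for the hidden flat container
ALLOWED_READERS = {"cn=idm-driver,o=example", "cn=citrix-svc,o=example"}  # hypothetical

def sample_users():
    """Constructed data: real user objects spread over per-location contexts."""
    return {
        "cn=amac,ou=site-a,o=example": "amac",
        "cn=bross,ou=site-b,o=example": "bross",
        "cn=cmack,ou=site-c,o=example": "cmack",
    }

def sync_aliases(real_users, aliases):
    """One driver pass: keep exactly one alias per real user in the flat container.
    Returns (removed_aliases, conflicting_names)."""
    by_cn = {}
    for dn, cn in real_users.items():
        by_cn.setdefault(cn, []).append(dn)
    # The same cn in two contexts cannot be aliased into one flat space.
    conflicts = sorted(cn for cn, dns in by_cn.items() if len(dns) > 1)
    wanted = {f"cn={cn},{ALIAS_BASE}": dns[0]
              for cn, dns in by_cn.items() if len(dns) == 1}
    removed = sorted(set(aliases) - set(wanted))
    aliases.clear()
    aliases.update(wanted)
    return removed, conflicts

def broken_aliases(real_users, aliases):
    """Aliases whose target no longer exists (moved, renamed or deleted)."""
    return sorted(a for a, target in aliases.items() if target not in real_users)

def resolve_login(cn, reader, real_users, aliases):
    """Single-context lookup: find the alias, then dereference to the real DN."""
    if reader not in ALLOWED_READERS:
        return None  # the alias container is hidden from everyone else
    target = aliases.get(f"cn={cn},{ALIAS_BASE}")
    return target if target in real_users else None  # a broken alias must not resolve
```

Moving a user by hand between driver passes leaves a broken alias until the next sync, which is why the slide asks that all users be maintained by IDM rather than by technicians.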

29. Next Up
- Bread & butter IDM becomes responsibility of records-oriented staff who know the data
  - Handle withdrawals etc. based on Academic Regulations (policy basis)
- Provide more subtle information based on the information content of the student record
  - e.g. to run Sharepoint need up-to-the-minute Groups management in the Directory
  - Same communities as in Siva but distinct IDM flow
  - Common vocabulary so staff (users) can understand

30. Technology
- Designer for Identity Manager on Windows XP
  - Very good tool
  - Has all the basic drivers
  - Use to control and deploy, as well as to design
- IDM3 on NetWare/ED
  - For eDirectory accounts
  - For GroupWise accounts
- IDM3 on W2003/AD+ED
  - For AD accounts

31. Development IDM platform
- Same scale and structure as the real environment
  - Want to be able to copy IDM drivers back and forth easily
- Designer for Identity Manager
  - Drivers dataflow and modification
- IDM3 on NetWare/ED
  - VNC view of DSTRACE
- IDM3 on W2003/AD and W2003/ED
  - VNC view of dstrace
- iManager
  - Control of migration, driver On/Off, etc
- Big fat VMware server with half a dozen virtual servers
- Development environment is an important system worth resourcing